Page 218 - Asterisk™: The Future of Telephony
Future
SIP has earned its place as the protocol that justified VoIP. All new user and enterprise
products are expected to support SIP, and any existing products will now be a tough
sell unless a migration path to SIP is offered. SIP is widely expected to deliver far more
than VoIP capabilities, including the ability to transmit video, music, and any type of
real-time multimedia. While its use as a ubiquitous general-purpose media transport
mechanism seems doubtful, SIP is unarguably poised to deliver the majority of new
voice applications for the next few years.
Security considerations
SIP uses a challenge/response system to authenticate users. An initial INVITE is sent to
the proxy with which the end device wishes to communicate. The proxy then sends
back a 407 Proxy Authorization Request message, which contains a random set of
characters referred to as a nonce. This nonce is used along with the password to generate
an MD5 hash, which is then sent back in the subsequent INVITE. Assuming the MD5
hash matches the one that the proxy generated, the client is then authenticated.
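As an added example that is not from the book, the nonce-based challenge/response just described, modelled after RFC 2617 Digest authentication without the qop extension: the proxy hands out a fresh nonce with its 407, the client folds username, realm, password, method, request URI and nonce into an MD5 digest, and the proxy recomputes it from its own copy of the password. Realm, usernames and passwords are constructed values; the single-use nonce policy is a design choice of this example, not a requirement of the RFC.

```python
import hashlib
import hmac
import secrets

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_response(username, realm, password, method, uri, nonce):
    """Client side: the response value sent in the Proxy-Authorization header
    of the retried INVITE (RFC 2617 form with no qop)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

class SipProxyAuthenticator:
    """Proxy side: issues the 407 challenge and verifies the retried request."""

    def __init__(self, realm, credentials):
        self.realm = realm
        self._credentials = credentials  # username -> password (constructed)
        self._outstanding = set()        # nonces issued but not yet consumed

    def challenge(self):
        # A random nonce per 407, so a captured response is only good for
        # this one challenge and cannot be replayed against a later one.
        nonce = secrets.token_hex(16)
        self._outstanding.add(nonce)
        return {"status": 407, "realm": self.realm, "nonce": nonce}

    def verify(self, username, method, uri, nonce, response):
        if nonce not in self._outstanding:
            return False  # unknown, expired or already-used nonce: stale
        password = self._credentials.get(username)
        if password is None:
            return False
        expected = digest_response(username, self.realm, password,
                                   method, uri, nonce)
        ok = hmac.compare_digest(expected, response)  # constant-time compare
        if ok:
            self._outstanding.discard(nonce)  # nonce is consumed on success
        return ok

def run_exchange(proxy, username, password, uri="sip:bob@example.com"):
    """Full round trip: 407 challenge, client digest, proxy verification."""
    challenge = proxy.challenge()
    response = digest_response(username, proxy.realm, password,
                               "INVITE", uri, challenge["nonce"])
    return proxy.verify(username, "INVITE", uri, challenge["nonce"], response)
```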
Denial of Service (DoS) attacks are probably the most common type of attack on VoIP communications. A DoS attack can occur when a large number of invalid INVITE requests are sent to a proxy server in an attempt to overwhelm the system. These attacks are relatively simple to implement, and their effects on the users of the system are immediate. SIP has several methods of minimizing the effects of DoS attacks, but ultimately they are impossible to prevent.
SIP implements a scheme to guarantee that a secure, encrypted transport mechanism (namely Transport Layer Security, or TLS) is used to establish communication between the caller and the domain of the callee. Beyond that, the request is sent securely to the end device, based upon the local security policies of the network. Note that the encryption of the media (that is, the RTP stream) is beyond the scope of SIP itself and must be dealt with separately.
More information regarding SIP security considerations, including registration hijacking, server impersonation, and session teardown, can be found in Section 26 of SIP RFC 3261.
SIP and NAT
Probably the biggest technical hurdle SIP has to conquer is the challenge of carrying out transactions across a NAT layer. Because SIP encapsulates addressing information in its data frames, and NAT happens at a lower network layer, the addressing information is not automatically modified and, thus, the media streams will not have the correct addressing information needed to complete the connection when NAT is in place. In addition to this, the firewalls normally integrated with NAT will not consider the incoming media stream to be part of the SIP transaction, and will block the connection. Newer firewalls and Session Border Controllers are SIP-aware, but this is still
190 | Chapter 8: Protocols for VoIP